TL;DR: WPScan has one of the largest databases available to help you scan and detect known WordPress vulnerabilities. Learn more about:

Keeping your WordPress website safe and secure is an ongoing process that involves a wide range of tasks. We always advise that you sit down to properly assess the security of your website from all angles to get a solid security foundation. From there, it’s a matter of developing a series of good habits that you carry out on a regular basis.

Whether it’s as part of a larger security effort or you are just taking steps to implement simple security practices, you’re going to have to make sure that your plugins, themes, and WordPress version don’t have any known security risks or vulnerabilities. After all, 52% of WordPress vulnerabilities are caused by plugins, and WordPress websites suffer 90,000 attempted attacks per minute. It’s vital that you keep your website as secure as possible.


How is my website vulnerable?

There are many ways that hackers can try to infiltrate your system. As a small example, incorrectly written code in one of your plugins could allow a hacker to input malicious database statements into an input field on your contact form (known as SQL injection). This vulnerability would provide unauthorized access to your database and all the data stored there. In the worst cases, the attacker can then change your user passwords and gain complete control of your website.
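To make the SQL injection risk above concrete, here is an added example (not code from this article or from any WordPress plugin) that contrasts a contact-form lookup which pastes user input straight into the query text with one that binds it as a parameter. It uses an in-memory SQLite table with constructed rows; in a real WordPress plugin the equivalent fix is to run the query through `$wpdb->prepare()` with placeholders rather than string concatenation.

```python
import sqlite3

# Constructed sample data standing in for submissions a plugin might store.
SAMPLE_ROWS = [
    ("alice@example.com", "Question about pricing"),
    ("bob@example.com", "Bug report"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (email TEXT, message TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, email):
    """Defect: the form value is spliced into the SQL text, so a quote
    character in the input changes the meaning of the statement."""
    sql = "SELECT email, message FROM submissions WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Fix: a bound parameter is always treated as a value, never as SQL,
    so the same input simply matches nothing."""
    sql = "SELECT email, message FROM submissions WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest value and with a constructed input
    that breaks out of the quotes; the unsafe version leaks every row."""
    conn = make_db()
    honest = "alice@example.com"
    crafted = "' OR '1'='1"  # constructed input, the textbook injection string
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_honest": lookup_safe(conn, honest),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running `demo()` shows the unsafe lookup returning both rows for the crafted input, while the parameterized lookup returns an empty result because the input is compared literally. This is the kind of defect a vulnerability database records once it is found in a published plugin.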

Luckily, there are several security plugins available, both paid and free, that help you to keep your website secure. However, very few of them both detect and let you know if you have a plugin or theme installed with a known vulnerability.

Good news—this is exactly what the WPScan plugin does. Even better, the plugin is entirely free for one average-sized website. If you have multiple websites or a website with lots of installed plugins, you will have to pay for an upgraded plan.

Once installed and activated, you can configure the WPScan plugin to carry out regular scans that determine if you have any known vulnerabilities in the code running your website. The plugin will scan your website against an ever-updated database of WordPress vulnerabilities. If there is anything suspicious, the plugin will immediately alert you so you can take action. 

And if you’re wondering if you can trust the database, the short answer is yes. Before any new vulnerability is officially added to the database, it is reviewed by an expert who sources and verifies it. 


Why is the WPScan WordPress plugin a good option?

First of all, its popularity contributes to its effectiveness. Since so many security professionals within the WordPress community use it, they actively choose to submit vulnerabilities to its database. As a result, WPScan is simply the most extensive database available, with over 20,000 vetted entries. Having the most up-to-date information about the points of entry attackers use is vital for ongoing security.

The importance of being the first to know about new WordPress vulnerabilities cannot be overstated. When a new potential breach opens up, it’s a race against time to protect yourself before it is exploited. With WPScan, you are able to act faster than malicious actors to fix any potential issues before they become active problems. 

In short, it’s the most user-friendly WordPress security plugin available that draws from an extensive and constantly updated database.

How to set up WPScan

Step 1. Install and activate

Begin like you would when installing any plugin. Go to the plugins page on your WordPress website, search for “WPScan,” and install it. Once installed, you can go ahead and activate it. 

Once activated, you should see a notification to grab an Application Programming Interface (API) token. If you are unfamiliar with APIs, they provide the ability for two web applications to interact with each other. This API token is your password allowing your website to securely talk to the WPScan database. 

The WPScan API allows free accounts to send up to 25 API requests per day. This is enough to check WordPress core plus up to 24 installed plugins and/or themes, which should cover an average-sized website.

Step 2. Log into your WPScan account

To get your API token, you can either click on the link provided in the notification or go to the WPScan website, and click get your free API token.

This will involve filling out a form, which you can then confirm via your email. Now, you’re able to log into your WPScan account. On the dashboard, you will be able to see your API token waiting for you.

Step 3. Activate your API key

Now you’re ready to go back to your WordPress website to the WPScan plugin settings page. You will see a relevant field where you can copy and paste the API token from your WPScan dashboard.

Step 4. Configure your settings

You should still be in the settings on your WPScan plugin. Before you leave, make sure to select the frequency you want for your scans.

With the free API key, you will only be able to run one scan per day. The paid option allows for daily, twice a day, or hourly options, as well as defining the specific times. If for any reason you want to disable the checks or exclude certain themes and plugins, you can also do it from here. 

Step 5. Monitor your results

On the reports screen, you will see any issues that have been found. It’s important to review this regularly to make sure you stay on top of any necessary actions. You can also opt to receive notifications through the meta box on the right hand side. 
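The steps above are all done in the WordPress admin, but it helps to see what the plugin is doing behind the scenes: each installed component is looked up in the vulnerability database and its installed version is compared against the version in which each known issue was fixed. The following is an added example (not the WPScan plugin's code and not from this article) that performs that comparison over a constructed response whose shape is modelled on a WPScan API plugin lookup; the field names `vulnerabilities` and `fixed_in` are an assumption, so check them against the API documentation before relying on them. The plugin slugs and vulnerability titles are made up. It also checks whether a site fits inside the free tier's request budget described in Step 1.

```python
import json

# Constructed sample: what the site has installed (plugin slug -> version).
INSTALLED = {
    "example-forms": "4.0.8",
    "example-gallery": "5.3.2",
    "example-seo": "1.7",
}

# Constructed sample response modelled on the shape of a WPScan API plugin
# lookup (an assumption; the live API's field names may differ).
SAMPLE_API_RESPONSE = json.dumps({
    "example-forms": {
        "latest_version": "4.1.0",
        "vulnerabilities": [
            {"title": "Example Forms < 4.1.0 - Constructed Issue", "fixed_in": "4.1.0"},
        ],
    },
    "example-gallery": {
        "latest_version": "5.3.2",
        "vulnerabilities": [
            {"title": "Example Gallery < 5.3.2 - Constructed Issue", "fixed_in": "5.3.2"},
        ],
    },
    "example-seo": {"latest_version": "1.7", "vulnerabilities": []},
})


def parse_version(text):
    """Turn '5.3.2' into (5, 3, 2); any non-numeric component becomes 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, fixed_in):
    """A vulnerability applies when no fix exists yet, or when the installed
    version is older than the version that fixed it ('5.3' equals '5.3.0')."""
    if not fixed_in:
        return True
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_vulnerable(installed, api_json):
    """Return (slug, installed_version, title, fixed_in) for every known
    issue that still applies to the installed version."""
    data = json.loads(api_json)
    findings = []
    for slug, version in installed.items():
        entry = data.get(slug)
        if entry is None:
            continue  # component not in the feed: nothing known about it
        for vuln in entry.get("vulnerabilities", []):
            fixed = vuln.get("fixed_in")
            if is_affected(version, fixed):
                findings.append((slug, version, vuln["title"], fixed))
    return findings


def fits_free_tier(installed, daily_limit=25):
    """One request for WordPress core plus one per plugin/theme must fit the
    daily request limit described in Step 1 (25 on the free plan)."""
    return 1 + len(installed) <= daily_limit


if __name__ == "__main__":
    print("fits free tier:", fits_free_tier(INSTALLED))
    for slug, version, title, fixed in find_vulnerable(INSTALLED, SAMPLE_API_RESPONSE):
        print(f"{slug} {version}: {title} (fixed in {fixed})")
```

With the constructed data, only `example-forms` is reported, because its installed 4.0.8 is older than the 4.1.0 fix, while `example-gallery` already runs the fixed version. A component the feed knows nothing about is skipped rather than reported, which is the same reason the plugin cannot tell you about malware or issues that have not been published yet.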

As we mentioned before, staying on top of your WordPress security is an ongoing process that requires dedicating time to various tasks. It’s important to note that WPScan is a useful tool to alert you to any known WordPress vulnerabilities, but it doesn’t scan for malware or actively protect you against attack. You will need to take extra steps to address any issues found.

If you would like peace of mind without the hassle, our monthly Performance Report at Watchdog Studio utilizes the WPScan API to inform you when your website becomes vulnerable while also providing key performance metrics to help you make better business decisions. With us on watch, we can help you take care of anything. Book a consultation for more information.

About The Author
Justin Korn

Justin is the founder of Watchdog Studio, and former Director of IT at both Wells Fargo Securities and AirTreks. A prodigy of the dotcom era, he now provides businesses in Oakland, California and the surrounding Bay Area with honest, expert website services to drive growth.